Towards Automated Learning of Access Control Policies Enforced by Web Applications

Padmavathi Iyer, A. Masoumzadeh
Published in: Proceedings of the ... ACM symposium on access control models and technologies. ACM Symposium on Access Control Models and Technologies, volume 17 1, pages 163-168. Publication date: 2023-05-24. DOI: 10.1145/3589608.3594743 (https://doi.org/10.1145/3589608.3594743)

Abstract

Obtaining an accurate specification of the access control policy enforced by an application is essential in ensuring that it meets our security/privacy expectations. This is especially important as many real-world applications handle a large amount and variety of data objects that may have different applicable policies. We investigate the problem of automated learning of access control policies from web applications. The existing research on mining access control policies has mainly focused on developing algorithms for inferring correct and concise policies from low-level authorization information. However, little has been done in terms of systematically gathering the low-level authorization data and applications' data models that are prerequisite to such a mining process. In this paper, we propose a novel black-box approach to inferring those prerequisites and discuss our initial observations on employing such a framework in learning policies from real-world web applications.